URL Filtering Based On URIs on Palo Alto Firewalls

We sometimes get requests to block a base domain while allowing only certain pages on the site, based on the URI (the part that comes after the “/”), e.g.:

hostname.com – block
hostname.com/page2 – allow

You need the URL filtering license to be able to do this. 

Initially, I tried it with a single policy, which failed; using two policies, you can get the exact filtering.

I am using Daniel Miessler’s blog for demonstration. We will allow /blog, /popular, and /study and block the base hostname.

danielmiessler.com – block

The /blog, /popular, and /study paths are to be allowed, with everything else being blocked.



Create a custom object URL category of paths to allow



Repeat this for the base domain to be blocked




Add them to URL filtering objects and set the proper actions.

Note the actions; getting them right is the most important part here.


The URL filtering object for the allowed paths goes in the first security policy; in it, the paths category object is set to allow.


The URL filtering object for the base domain goes in the second security policy, which has action deny; in it, the block base domain category object is set to block, with paths set to none.


Create both security policies to allow the paths and to deny the base domain

In the policy that blocks the base domain, ignore the blurred part of the screenshot and just use the block domain URL filtering which you created before.


The final policy order has the allow rule before the deny one.
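Once both rules are committed, the result can be checked from a client behind the firewall. The script below is an added example, not part of the original post or of PAN-OS: it requests the URLs from this walkthrough and reports any whose outcome differs from the intended allow/block verdict. The block page marker text and the unlisted test path are assumptions; adjust them to your environment.

```python
import urllib.error
import urllib.request

# Intended verdicts from the post: base hostname blocked, three paths allowed.
EXPECTED = {
    "https://danielmiessler.com/": "block",
    "https://danielmiessler.com/blog": "allow",
    "https://danielmiessler.com/popular": "allow",
    "https://danielmiessler.com/study": "allow",
    # Constructed path that is not in the allow category; it should be blocked.
    "https://danielmiessler.com/example-unlisted-path": "block",
}

# Assumption: the firewall's block page contains this text.
BLOCK_MARKER = "Web Page Blocked"


def fetch(url, timeout=10):
    """Return (status, body). Status None means the connection failed or was reset."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # must precede URLError (its parent class)
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def verdict(status, body):
    """Classify one response. Without decryption, HTTPS blocks usually appear as a
    reset connection, so a failed connection counts as a block. A client with no
    network at all will therefore also look blocked."""
    if status is None or BLOCK_MARKER in body:
        return "block"
    return "allow"


def audit(expected=EXPECTED, fetcher=fetch):
    """Return (url, expected, observed) for every URL whose verdict is wrong."""
    mismatches = []
    for url, want in expected.items():
        got = verdict(*fetcher(url))
        if got != want:
            mismatches.append((url, want, got))
    return mismatches


if __name__ == "__main__":
    for url, want, got in audit():
        print(f"MISMATCH {url}: expected {want}, observed {got}")
```

No output means every URL behaved as intended; a mismatch on the unlisted path means the allow category matches more than the three paths.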


And that’s all there is to it, folks! You can try other variations of this; I’ll update the post if I come across something.